Our Privacy Policy

Our Policy

Silcock Leedham Consulting Engineers Ltd, Verisys Ltd and Zero Energy Design Ltd is committed to complying with data protection law and to respecting the privacy rights of individuals.

The majority of data stored is ‘non-personal’, but where personal data is received from our customers this policy explains how we protect any information we receive, in line with GDPR and the Data Protection Act 2018.

What is personal Data?

Personal data is defined by the General Data Protection Regulation (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is therefore any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

By contacting us with an enquiry or employing us on a project you are consenting to our contact on current and upcoming projects.

In order to execute your project, you will need to consent to us sharing this data with other consultants, suppliers and contractors servicing your project. We may also need to share your project data with our insurers or for compliance with a legal obligation. We will not use your personal data or pass it onto 3rd parties for marketing purposes.

In line with our insurers recommendations our retention period is 12 years from the end of the project completion.

Security of Data

In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we hold.

No personal data will be disclosed to 3rd parties that are not involved in the servicing of your project.

Most data is held electronically on our secure sever and is protected from unauthorised persons, and also malicious hacking attempts.

Employees have access to the server via individual password protection to their laptops / work stations and remote access via individual password protection.

Any stored data on removable devices, when not used, will be stored away securely in a locked location

Employees are to store information on the secure server only and not to store locally on computer hard drives. All hard drives are encrypted.

Data is backed up regularly

Servers and computers are protected by security software and a firewall

We hold a Cyber Essentials Plus Accreditation

Data subject rights

Under Data Protection Laws individuals have certain rights in relation to their own personal data. In summary these are:

The rights to access their personal data, usually referred to as a subject access request

The right to have their personal data rectified;

The right to have their personal data erased, usually referred to as the right to be forgotten;

The right to restrict processing of their personal data;

The right to object to receiving direct marketing materials;

The right to portability of their personal data;

The right to object to processing of their personal data; and

The right to not be subject to a decision made solely by automated data processing.

The exercise of these Rights may be made in writing, including email, and also verbally and should be responded to in writing by us (if we are the relevant data controller) without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We must inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the data subject makes the request by electronic form means, any information is to be provided by electronic means where possible, unless otherwise requested by the individual.

If we receive the request from a third party (e.g. a legal advisor), we must take steps to verify that the request was, in fact, instigated by the individual and that the third party is properly authorised to make the request. This will usually mean contacting the relevant individual directly to verify that the third party is properly authorised to make the request.

There are very specific exemptions or partial exemptions for some of these Rights and not all of them are absolute rights. However, the right to not receive marketing material is an absolute right, so this should be complied with immediately.

Where an individual considers that we have not complied with their request e.g. exceeded the time period, they can seek a court order and compensation. If the court agrees with the individual, it will issue a Court Order, to make us comply. The Court can also award compensation. They can also complain to the regulator for privacy legislation, which in our case will usually be the ICO.

In addition to the rights discussed in this document, any person may ask the ICO to assess whether it is likely that any processing of personal data has or is being carried out in compliance with the privacy legislation. The ICO must investigate and may serve an “Information Notice” on us (if we are the relevant data controller). The result of the investigation may lead to an “Enforcement Notice” being issued by the ICO. Any such assessments, information notices or enforcement notices should be sent directly to our Data Officer from the ICO.

Queries

If you have any queries about this Policy you can contact us by post, telephone or email to discuss our retention and use of your personal data or to withdraw consent.